Sunday, August 19, 2007

Speeding up Adobe Reader 8

So I just went through the hassle of re-installing Windows XP after a well needed upgrade. I'm still going through the process of re-installing the programs that I need to use from day to day and as the PDF file format is ubiquitous, you can't get away from using it really. I didn't bother looking for another reader other than the Adobe product, which is fine anyway, once it's loaded all those damn APIs!

I've set about removing/disabling the APIs I don't need to speed up the loading time. I found this page http://lifehacker.com/software/tweaks/speed-up-adobe-reader-8-263500.php which mentioned disabling the accessibility API. I moved it into a new folder and cut the loading time in half.

I moved the Annots.api which I think has something to do with stamps. Also moved the ReadOutLoud.api and MakeAccessible.api. This didn't make much of a difference to the start time but I'll keep slowly removing APIs. One that did make a big difference was the PPKLite.api. This seemed to halve loading times once again. There is some loss in functionality, i.e. Adobe-Policy Server secured documents, PKI, encryption/decryption, etc. but if these features aren't of concern to you then it's no problem.

I've read other sites suggesting removing all but 3 APIs but this seemed a bit extreme. I'm going to look into this further and see what else doesn't need to be there for me and I'll add to the post as I find out more. If you've got any tips, please comment.

Update (24th Aug 07) - So I've started having a problem with AdobeUpdater.exe becoming a huge CPU hog after opening Reader. It's nasty, you can't even force quit the process, even on the cmdline using TASKKILL. After reading another blog, GameProducer.net, it seems to be a general problem with Reader, something that I may not have broken just playing with. Anyways, I'm going to try to get to the bottom of this before I ditch Reader altogether in favour of Foxit :)

Found out some more about the other APIs. eBook.api is the DRM plug-in for using protected documents... trash it. DigSig.api is the digital signature plugin for signing documents but probably relies on the PPKLite api anyway and few will ever use this... trashed. DVA.api analyses documents to ensure they meet PDF specification and EScript.api allows JavaScript in PDF docs (ECMAScript) so we'll leave these ones for now. EWH32.api allows PDF docs to be viewed within a browser, make your own choice here but I think I can do without that... trashola. HLS.api is some search highlighting thing for web searches within a web browser... bye bye. ImageViewer.api for multimedia stuff... hmmm, keep it simple Adobe, it's just a reader... in the bin. IA32.api is internet access for Acrobat, hopefully moving this will solve the updater issue I'm having! Multimedia.api... no prizes for guessing this one... gone! PDDom.api is more to do with accessibility... moved. Checkers.api actually seems to be important, I'll leave this for now. reflow.api adjusts content width to fit the window so I'll leave this too. SaveAsRTF.api... another no brainer, might need this functionality so I'll leave it too. Search.api is probably worth keeping also and maybe even Search5.api for now. SendMail.api lets you send the current document as an attachment through a mail client... who can't do this themselves? See ya! Spelling.api... I'm not creating documents and I've filled in all of one PDF form in my life... terminated! Updater.api has to go if the blog I mentioned earlier is anything to go by.

Anyway, I'll probably update this once more. Either the CPU hog issue is fixed and Reader runs much lighter or I'm going to Foxit! hehe

2007 - Sept - 13: Update, the CPU issue with updater is still a problem, don't know what broke it but when I have more time I'll look into it. If you've seen this problem and know how to fix it, please post a comment!

Wednesday, August 15, 2007

Excellent Cheat sheet Resource

I was introduced to a fabulous resource for cheat sheets recently.

http://www.ilovejackdaniels.com/cheat-sheets

Check it out, there's cheat sheets on SQL Server, HTML, Regular expressions, Ruby on Rails, ASP/VBScript, JavaScript, MySQL, CSS, PHP and many more...

Tuesday, August 14, 2007

Scary XSS worm vid

In case you haven't noticed, there is a distinct video theme to my last few posts. There's a video I found on another site (I think it was xssnews or something like that, although it seemed to be down recently) about an XSS worm vulnerability in a messaging app called Meebo. The video shows how easy it is to exploit but does not show the actual final exploit code, in keeping with the responsible disclosure that most security experts adhere to.
http://milw0rm.com/video/watch.php?id=71
Check it out, it's pretty interesting (and scary). A good example of the dangers of rich user interfaces seen in web 2.0 apps if not properly secured.

cfAjaxProxy Tag

Here's a YouTube video I found that gives a quick tutorial about using the cfAjaxProxy tag that is new to ColdFusion 8 to add some simple AJAX functionality...

Click on the "menu" button on the bottom-right to see other related videos...

Monday, August 13, 2007

New Curtin TV Campaign

Just wanted to embed the new Curtin University TV Ad (my old uni). The main Ad aired on August 12. It's a little controversial and a refreshing approach to the usual uni advertisements around this time of year... see for yourself...





Monday, August 6, 2007

Best Firefox extensions

Just wanted to list all the Firefox extensions I use (or have used/tried in the past). There are a lot of good ones out there but it's sometimes hard to find good descriptions of what they actually do or a review of them. I will add to the post as I get time or from feedback I get.

Colorful Tabs
Alright so this isn't the most amazing extension but it grabs most people's attention straight away and can be quite useful when you turn one of the few features on. You can have the colours done by domain. So if you have a few tabs from the same site open, they'll get coloured the same which helps grouping. Another tip that has nothing to do with the extension is that Firefox allows you to drag tabs around to where you want them (at least in 2.0+, haven't tried in 1.5+). Just grab the tab and drag it to the other tabs of (similar) interest.

Download Statusbar
This extension places downloads on a little bar at the bottom of the browser (the size of the "find" bar). It is less in your face than the standard download manager and is pretty cool but it does fill up if you've downloaded many things and can have strange outcomes as it follows the active window. Not for everyone but give it a shot.

Firefox Showcase
Very cool way to quickly preview all your open tabs on one page. It will generate thumbnails of all the current tabs to show on one page, you can then click on the one you want to go to or close it from there. It's pretty quick and a great add-on.

del.icio.us Bookmarks
If you're not using del.icio.us yet, what the hell are you doing??? Seriously though, del.icio.us is (AFAIK) a Yahoo thingy to allow you to store all your bookmarks online. No more going from computer to computer without access to all your favourite bookmarks. It allows you to view all your bookmarks on one page and to categorise them using tags. Very powerful and useful. The del.icio.us Bookmarks add-on completes the experience, making it so simple to add and view all your bookmarks. This has to be one of the best product/extension combinations out there. Go sign up now if you haven't already and start using the extension!

Firebug
Since I'm starting to get heavily involved in web development, it should be no surprise that a lot of my extensions are web dev tools. Firebug is one of the best. So powerful and not just limited to JavaScript (although much of its best use is in debugging JavaScript and making changes on the fly). You can view the HTML and CSS of any page also and make changes which are rendered in real time right in front of you. It can highlight the CSS for you so you don't need to keep uploading/reloading etc. It's there right in front of you. Also the network monitor gives you an awesome breakdown of how the page loads, what takes the most time to download and how big each element is. A must for any developer or anyone that is curious and wants to have a play.

Web Developer
This is another really powerful extension. It allows you to turn off and on various things like JavaScript and CSS. So you can see how your pages degrade if viewed by browsers lacking support for various things (you could even browse this way if you're a security nut, although the NoScript extension is probably better for that). Again you can view the DOM as well as a mapping/visualisation of the CSS elements.

That's about all I have at the moment. Will try to add more soon. Stay tuned! If you've got any that I've missed, let me know!!

Saturday, August 4, 2007

Website security and stolen data

So today I got a call that few like to get....

A company I bought some products off advised me that they'd had their data stolen and my credit card number was among the list.

At first I was more bothered because of the late time of the call, I felt sorry for the poor guy trying to run a small business and now having the unenviable task of needing to call all his customers. I mean, it's inconvenient having to cancel my credit card (thank god no dodgy transactions had taken place yet) but really not a lot of harm has been done. I guess there is potential for harm still as the people that collected the details could use the addresses to stake out local residents and wait for the new cards to come in (but I would think this was an offshore operation).

The worst thing is that most people use the same, or similar username/password credentials for all the accounts they have. This worried me a bit but I realised that only a couple of not very important accounts were the same.

I was quite surprised that this occurred because the website certainly looked professional, had the usual "secured by whatever" images, was standards validated and had the processing taken care of by a merchant site (which are usually quite good with security). Only after the fact did I come back and read the privacy policy and found that credit card numbers and other information were stored by the website itself with the reasoning to do with speeding up error tracking or transactions that were knocked back.

Personally, I would do anything possible to not require credit card information to be stored in the site database. It's just too risky. People also tend to trust the magic padlock too much; SQL injection attacks can still occur over HTTPS connections. In fact it makes it harder for intrusion detection software/hardware to track because all the transmissions are encrypted.

I also noticed that the site was done in PHP. Don't get me wrong, I love PHP and think it's great for quickly getting sites done and the number of really good frameworks available for it is awesome. But the problem is that if the developer doesn't have a good grasp on security techniques/methodologies, then it can leave a lot of holes open as the default security isn't great. It's not the fault of the language, just its use in the implementation.

I tend to prefer inherently more secure languages nowadays, especially ColdFusion if you haven't noticed by the previous posts. I have to use it at work and have come to really appreciate it. It is very well structured, has introduced a lot of OO features, has great validation functions, deals with datasources like nothing I've ever known and can integrate with Java or .NET components now too. It's not perfect and using tags for everything can get annoying (although there are cfscript tags for writing stuff that looks more like actual code and many functions that feel java-ish too :) but overall I recommend giving it a try. Very easy to pick up.

Man I've gone off topic... oh well
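
One way to keep the error-tracking use the shop cited without holding card numbers, as an added example (not code from the site or from this post): store only the processor's reference and the last four digits, and bind every value as a query parameter. The schema, the `gateway_ref` field and the function names are assumptions made for illustration; the sample values in any call are constructed.

```python
import re
import sqlite3

# Constructed schema: enough to chase a knocked-back payment, with no
# column able to hold a full card number.
SCHEMA = """CREATE TABLE declined_payments (
    order_id    TEXT NOT NULL,
    gateway_ref TEXT NOT NULL,  -- hypothetical reference from the payment processor
    card_last4  TEXT NOT NULL CHECK (length(card_last4) = 4),
    reason      TEXT NOT NULL)"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def luhn_ok(digits):
    """Luhn checksum that valid card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(text):
    """Best-effort check: a 13-19 digit run (spaces/dashes allowed) passing Luhn."""
    for m in re.finditer(r"\d(?:[ -]?\d){12,18}", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

def record_decline(db, order_id, gateway_ref, card_last4, reason):
    # Free-text fields are where a full card number can slip into the database.
    if any(contains_card_number(v) for v in (order_id, gateway_ref, reason)):
        raise ValueError("refusing to store what looks like a full card number")
    # Bound parameters: the values are never spliced into the SQL text.
    db.execute("INSERT INTO declined_payments VALUES (?, ?, ?, ?)",
               (order_id, gateway_ref, card_last4, reason))

def find_declines(db, order_id):
    return db.execute(
        "SELECT gateway_ref, card_last4, reason FROM declined_payments"
        " WHERE order_id = ?", (order_id,)).fetchall()
```

With this layout a database dump yields nothing that can be charged, and a quote character in `order_id` is treated as data rather than as part of the query.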

Wednesday, August 1, 2007

iPhone security problems?

Was reading up on SecurityFocus recently (one of my fave sites) and noticed quite a few iPhone posts of late.

The phone's already been opened up to try to find security flaws, etc. http://www.securityfocus.com/brief/538 So there seem to be issues with Safari (although this is not an iPhone specific problem) as well as Bluetooth (good old Bluetooth hacks, will they ever end? hehe). The researchers still indicate that it is one of the most secure smartphones out there ( http://erratasec.blogspot.com/2007/07/our-first-iphone-bugs.html ).

Interestingly, Apple is handling the updates through iTunes which seems like a great idea considering carriers aren't set up to do this properly and most mobiles don't have a good firmware/software update model. Although the choice to run all processes with full admin privileges seems a tad crazy! See here... http://www.securityfocus.com/brief/552

Apparently there will be more information released tomorrow by one researcher so that should be interesting.